Identity and Access Management (IAM)
To deploy OMT and the suite on Google Cloud, the following account and resources must be prepared with the required permissions.
Create a new service account and assign the required permissions to it:
gcloud iam service-accounts create <NAME> --description=<DESCRIPTION> --display-name=<DISPLAY_NAME>
Where:
<NAME> is the internal name of the new service account. The identifier of the new service account, which must be used in all subsequent commands, is the email address returned in the output of this command.
<DESCRIPTION> is an optional description of the account.
<DISPLAY_NAME> is the name to display for the account, that is, the portion before the @ in the email address that identifies the account.
For example:
gcloud iam service-accounts create gcp-arcsight-test-sa --description="Service account configured with permissions to be used while deploying Arcsight on GCP" --display-name="gcp-arcsight-test-sa"
The new service account must be assigned the following roles:
- Compute Admin
- Compute Storage Admin
- Editor
- Kubernetes Engine Admin
- Service Account Token Creator
The command to grant permissions is:
gcloud projects add-iam-policy-binding <PROJECT_ID> --member=<PRINCIPAL> --role=<ROLE>
Where:
<PROJECT_ID> is the ID or the name of the project that you will be using.
<PRINCIPAL> is the service account that will be granted the role.
<ROLE> is the role (permission) granted by executing the command.
The following examples grant each of the permissions listed above to the service account:
The Compute Admin permission:
gcloud projects add-iam-policy-binding security-arcsight-nonprod --member="serviceAccount:gcp-arcsight-test-sa@security-arcsight-nonprod.iam.gserviceaccount.com" --role="roles/compute.admin"
The Compute Storage Admin permission:
gcloud projects add-iam-policy-binding security-arcsight-nonprod --member="serviceAccount:gcp-arcsight-test-sa@security-arcsight-nonprod.iam.gserviceaccount.com" --role="roles/compute.storageAdmin"
The Editor permission:
gcloud projects add-iam-policy-binding security-arcsight-nonprod --member="serviceAccount:gcp-arcsight-test-sa@security-arcsight-nonprod.iam.gserviceaccount.com" --role="roles/editor"
The Kubernetes Engine Admin permission:
gcloud projects add-iam-policy-binding security-arcsight-nonprod --member="serviceAccount:gcp-arcsight-test-sa@security-arcsight-nonprod.iam.gserviceaccount.com" --role="roles/container.admin"
The Service Account Token Creator permission:
gcloud projects add-iam-policy-binding security-arcsight-nonprod --member="serviceAccount:gcp-arcsight-test-sa@security-arcsight-nonprod.iam.gserviceaccount.com" --role="roles/iam.serviceAccountTokenCreator"
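The steps above combined into one idempotent script, added here as an example and not part of the original documentation: it creates the account only if it is absent, binds the five roles, and then reads the project's IAM policy back to report any required role that is still missing. It assumes gcloud is installed and authenticated, and takes PROJECT_ID and NAME as its two arguments.

```shell
#!/bin/sh
# Added example (not from the original page): create the deployment service
# account, grant the five roles listed above, and verify the bindings.
# Assumes gcloud is installed and authenticated for the target project.
set -eu

# The roles the page requires, as the IAM role identifiers gcloud expects.
REQUIRED_ROLES="roles/compute.admin roles/compute.storageAdmin roles/editor roles/container.admin roles/iam.serviceAccountTokenCreator"

# Build the account's email identifier from its short NAME and the project.
sa_email() { # $1 = NAME, $2 = PROJECT_ID
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Print the required roles that are absent from the space-separated list in $1.
missing_roles() {
  out=""
  for r in $REQUIRED_ROLES; do
    case " $1 " in *" $r "*) ;; *) out="$out $r" ;; esac
  done
  printf '%s' "${out# }"
}

# Roles currently bound to the principal in $2 on project $1, one per line.
bound_roles() {
  gcloud projects get-iam-policy "$1" --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" --format="value(bindings.role)"
}

main() { # $1 = PROJECT_ID, $2 = NAME
  email=$(sa_email "$2" "$1")
  # Create the account only if it does not exist yet, so re-runs are safe.
  if ! gcloud iam service-accounts describe "$email" --project="$1" >/dev/null 2>&1; then
    gcloud iam service-accounts create "$2" --project="$1" --display-name="$2"
  fi
  for role in $REQUIRED_ROLES; do
    gcloud projects add-iam-policy-binding "$1" \
      --member="serviceAccount:$email" --role="$role" >/dev/null
  done
  # Verify: IAM changes propagate asynchronously, so report anything still missing.
  missing=$(missing_roles "$(bound_roles "$1" "$email" | tr '\n' ' ')")
  if [ -n "$missing" ]; then
    echo "still missing on $email: $missing" >&2; exit 1
  fi
  echo "all required roles bound to $email"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it as `sh grant-roles.sh security-arcsight-nonprod gcp-arcsight-test-sa`; a non-zero exit with a "still missing" line means the policy has not yet propagated or a binding failed, so re-run before continuing the deployment.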